PCI is Not for Dummies
February 4, 2010 | In: Internet Business
It seems like everyone (including this author) today has an opinion on the value of the PCI DSS and the card brand programs. In March 2009, Congress held hearings on the standard, and there are a number of companies that make a living from the program. Whatever people's view of the PCI DSS, my own experience has led me to believe that something is needed to secure the data in our industry.

There are two basic approaches to solving the problem of increasing data compromises. The first is traditional compliance/risk management. This assumes that a merchant has the data and must therefore secure the data; this is traditional PCI compliance and risk management. The second approach is the one of which I am a proponent. I will generically call these 'alternative' compliance solutions. With these solutions, the value of the data is reduced or removed. While much has been written recently about end-to-end encryption, that is really only one approach that I would classify as one of the alternative solutions.
Several companies have made huge strides in the industry to remove the value of data: the card data is replaced with some abstract description of that data. Although a number of companies have created similar solutions, companies like Shift4 and MerchantLink defined these types of solutions, and they have worked well in complex retail environments. MagTek and Semtek created encrypted magnetic stripe readers that render the data unreadable from the point of swipe. These solutions provide huge benefits for smaller, level 4 merchants when used with virtual terminals and other technologies. Companies like TrustCommerce and ProPay have successfully deployed these solutions to remove data from their merchants' environments.
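To make the "replace the data with an abstract description of it" idea concrete, here is an added example (not code from this post and not Shift4's, MerchantLink's or any vendor's implementation). It models a hypothetical token vault (`TokenVault`) that holds the only copy of the card number, a merchant-side record store (`MerchantRecordStore`) that keeps just a random token and the last four digits, and a scan (`pans_in_store`) that a QSA might run to confirm no full card numbers remain in the merchant's data. The card number used is the constructed, well-known Visa test number, not real cardholder data.

```python
import re
import secrets

# Constructed sample PAN (a standard test card number), not real cardholder data.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; used only to reject obviously malformed input before tokenizing."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Hypothetical token service: the only place a PAN is stored.

    In a real deployment this lives with the gateway or processor, outside the
    merchant's environment, which is what takes the merchant's systems out of scope.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:
            # Same card -> same token, so the merchant can still recognise a repeat customer.
            return self._token_by_pan[pan]
        token = secrets.token_hex(16)   # random; derives nothing from the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (i.e. the processor) can get back to the PAN."""
        return self._pan_by_token[token]


class MerchantRecordStore:
    """What the merchant keeps: token plus display-safe last four digits, never the PAN."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.records = []

    def record_sale(self, pan: str, amount_cents: int) -> dict:
        token = self._vault.tokenize(pan)
        rec = {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}
        self.records.append(rec)
        return rec


def pans_in_store(store: MerchantRecordStore) -> list:
    """Scan the merchant's stored records for anything that looks like a full PAN."""
    found = []
    for rec in store.records:
        for value in rec.values():
            if isinstance(value, str) and re.fullmatch(r"\d{13,19}", value) and luhn_valid(value):
                found.append(value)
    return found


if __name__ == "__main__":
    vault = TokenVault()
    store = MerchantRecordStore(vault)
    sale = store.record_sale(SAMPLE_PAN, 1999)
    print("merchant holds:", sale)
    print("full PANs found in merchant store:", pans_in_store(store))
```

The point the scan makes is the one the post is arguing: if the merchant's record store is compromised, the attacker obtains tokens and last-four digits that are worthless without the vault, and the merchant's stored data no longer attracts the PCI DSS requirements that apply to stored cardholder data.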
As we continue to move through 2009, we will continue to see solutions such as these enter the market. It is difficult to dispute that these types of solutions are needed in the industry. Those who have been active in the PCI world as QSAs, ASVs, or in other capacities understand that traditional compliance simply does not work well in level 4 merchant environments. If you have not had a chance to take a look at the alternative solutions, I would encourage you to do so. Some of them will not only remove data, thus reducing your risk, but will also provide some reprieve from compliance with some of the PCI DSS requirements.
